Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: refactor deployer to run locally without auth #810

Merged
merged 16 commits into from
May 2, 2023
Merged
Show file tree
Hide file tree
Changes from 14 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 22 additions & 28 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -148,60 +148,54 @@ cargo run --manifest-path ../../../Cargo.toml --bin cargo-shuttle -- logs
The steps outlined above starts all the services used by shuttle locally (ie. both `gateway` and `deployer`). However, sometimes you will want to quickly test changes to `deployer` only. To do this replace `make up` with the following:

```bash
# first generate the local docker-compose file
# if you didn't do this already, make the images
USE_PANAMAX=disable make images

# then generate the local docker-compose file
make docker-compose.rendered.yml

# then run it
docker compose -f docker-compose.rendered.yml up provisioner
oddgrd marked this conversation as resolved.
Show resolved Hide resolved
```

This starts the provisioner and the auth service, while preventing `gateway` from starting up. Next up we need to
insert an admin user into the `auth` state using the ID of the `auth` container and the auth CLI `init` command:
This starts the provisioner and the auth service, while preventing `gateway` from starting up.
Next up we need to insert an admin user into the `auth` state using the ID of the `auth`
container and the auth CLI `init` command:

```bash
AUTH_CONTAINER_ID=$(docker ps -aqf "name=shuttle-auth") \
AUTH_CONTAINER_ID=$(docker ps -qf "name=auth") \
docker exec $AUTH_CONTAINER_ID ./usr/local/bin/service \
--state=/var/lib/shuttle-auth \
init --name admin --key test-key
```
> Note: if you have done this already for this container you will get a "UNIQUE constraint failed"
> error, you can ignore this.

Before we can run commands against a local deployer, we need to get a valid JWT and set it in our
`.config/shuttle/config.toml` as our `api_key`. By running the following curl command, we will request
that our api-key in the `Authorization` header be converted to a JWT, which will be returned in the response:
We need to make sure we're logged in with the same key we inserted for the admin user in the
previous step:

```bash
curl -H "Authorization: Bearer test-key" localhost:8008/auth/key
cargo shuttle login --api-key test-key
```

Now copy the `token` value (just the value, not the key) from the curl response, and write it to your shuttle
config (which will be a file named `config.toml` in a directory named `shuttle` in one of
[these places](https://docs.rs/dirs/latest/dirs/fn.config_dir.html) depending on your OS).

```bash
# replace <jwt> with the token from the previous command
echo "api_key = '<jwt>'" > ~/.config/shuttle/config.toml
```
We're now ready to start a local run of the deployer:

> Note: The JWT will expire in 15 minutes, at which point you need to run the commands again.
> If you have [`jq`](https://github.com/stedolan/jq/wiki/Installation) installed you can combine
> the two above commands into the following:
```bash
curl -s -H "Authorization: Bearer test-key" localhost:8008/auth/key \
| jq -r '.token' \
| read token; echo "api_key='$token'" > ~/.config/shuttle/config.toml
cargo run -p shuttle-deployer -- --provisioner-address http://localhost:5000 --auth-uri http://localhost:8008 --proxy-fqdn local.rs --admin-secret test-key --local --project <project_name>
```

Finally we need to comment out the admin layer in the deployer handlers. So in `deployer/handlers/mod.rs`,
in the `make_router` function comment out this line: `.layer(AdminSecretLayer::new(admin_secret))`.
The `<project_name>` needs to match the name of the project that will be deployed to this deployer. This is the `Cargo.toml` or `Shuttle.toml` name for the project.
oddgrd marked this conversation as resolved.
Show resolved Hide resolved

And that's it, we're ready to start our deployer!
Now that your local deployer is running, you can run commands against using the cargo-shuttle CLI.
To do that you should navigate into an example, it needs to have the same project name as the
one you submitted when starting the deployer above. Then you can use the CLI like you normally
would:

```bash
cargo run -p shuttle-deployer -- --provisioner-address http://localhost:8000 --proxy-fqdn local.rs --admin-secret test-key --project <project_name>
# the manifest path is the path to the root shuttle manifest from the example directory
cargo run --bin cargo-shuttle --manifest-path="../../../Cargo.toml" -- deploy
```

The `--admin-secret` can safely be changed to your api-key to make testing easier. While `<project_name>` needs to match the name of the project that will be deployed to this deployer. This is the `Cargo.toml` or `Shuttle.toml` name for the project.

### Using Podman instead of Docker

If you want to use Podman instead of Docker, you can configure the build process with environment variables.
Expand Down
27 changes: 21 additions & 6 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 1 addition & 5 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,7 @@ members = [
exclude = [
"e2e",
"examples",
"resources/aws-rds",
"resources/persist",
"resources/secrets",
"resources/shared-db",
"resources/static-folder",
"resources",
"services",
]

Expand Down
28 changes: 4 additions & 24 deletions auth/src/user.rs
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ use axum::{
};
use rand::distributions::{Alphanumeric, DistString};
use serde::{Deserialize, Deserializer, Serialize};
use shuttle_common::claims::Scope;
use shuttle_common::claims::{Scope, ScopeBuilder};
use sqlx::{query, Row, SqlitePool};
use tracing::{trace, Span};

Expand Down Expand Up @@ -185,33 +185,13 @@ pub enum AccountTier {

impl From<AccountTier> for Vec<Scope> {
fn from(tier: AccountTier) -> Self {
let mut base = vec![
Scope::Deployment,
Scope::DeploymentPush,
Scope::Logs,
Scope::Service,
Scope::ServiceCreate,
Scope::Project,
Scope::ProjectCreate,
Scope::Resources,
Scope::ResourcesWrite,
Scope::Secret,
Scope::SecretWrite,
];
let mut builder = ScopeBuilder::new();

if tier == AccountTier::Admin {
base.append(&mut vec![
Scope::User,
Scope::UserCreate,
Scope::AcmeCreate,
Scope::CustomDomainCreate,
Scope::CustomDomainCertificateRenew,
Scope::GatewayCertificateRenew,
Scope::Admin,
]);
builder = builder.with_admin()
}

base
builder.build()
}
}

Expand Down
2 changes: 1 addition & 1 deletion common/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -94,4 +94,4 @@ ring = { workspace = true }
tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
tower = { workspace = true, features = ["util"] }
tracing-fluent-assertions = "0.3.0"
tracing-subscriber = { version = "0.3", default-features = false }
tracing-subscriber = { workspace = true }
49 changes: 49 additions & 0 deletions common/src/claims.rs
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,55 @@ pub enum Scope {
Admin,
}

pub struct ScopeBuilder(Vec<Scope>);

impl ScopeBuilder {
/// Create a builder with the standard scopes for new users.
pub fn new() -> Self {
Self(vec![
Scope::Deployment,
Scope::DeploymentPush,
Scope::Logs,
Scope::Service,
Scope::ServiceCreate,
Scope::Project,
Scope::ProjectCreate,
Scope::Resources,
Scope::ResourcesWrite,
Scope::Secret,
Scope::SecretWrite,
])
}

/// Extend the current scopes with admin scopes.
pub fn with_admin(mut self) -> Self {
self.0.extend(vec![
Scope::Deployment,
Scope::DeploymentPush,
Scope::Logs,
Scope::Service,
Scope::ServiceCreate,
Scope::Project,
Scope::ProjectCreate,
Scope::Resources,
Scope::ResourcesWrite,
Scope::Secret,
Scope::SecretWrite,
]);
self
}

pub fn build(self) -> Vec<Scope> {
self.0
}
}

impl Default for ScopeBuilder {
fn default() -> Self {
Self::new()
}
}

#[derive(Clone, Debug, Deserialize, Serialize, Eq, PartialEq)]
pub struct Claim {
/// Expiration time (as UTC timestamp).
Expand Down
4 changes: 4 additions & 0 deletions deployer/src/args.rs
Original file line number Diff line number Diff line change
Expand Up @@ -50,4 +50,8 @@ pub struct Args {
/// Uri to folder to store all artifacts
#[clap(long, default_value = "/tmp")]
pub artifacts_path: PathBuf,

/// Run deployer without auth locally
#[arg(long)]
pub local: bool,
}
86 changes: 86 additions & 0 deletions deployer/src/handlers/local.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
use std::net::Ipv4Addr;

use axum::{
headers::{authorization::Bearer, Authorization, Cookie, Header, HeaderMapExt},
http::Request,
middleware::Next,
response::Response,
Extension,
};
use hyper::{
client::{connect::dns::GaiResolver, HttpConnector},
Body, Client, StatusCode, Uri,
};
use hyper_reverse_proxy::ReverseProxy;
use once_cell::sync::Lazy;
use serde_json::Value;
use tracing::error;

static PROXY_CLIENT: Lazy<ReverseProxy<HttpConnector<GaiResolver>>> =
Lazy::new(|| ReverseProxy::new(Client::new()));

/// This middleware proxies a request to the auth service to get a JWT, which we need to access
/// the deployer endpoints, and we'll also need it in the claim layer of the provisioner and runtime
/// clients.
///
/// Follow the steps in https://github.com/shuttle-hq/shuttle/blob/main/CONTRIBUTING.md#testing-deployer-only
/// to learn how to insert an admin user in the auth state.
///
/// WARNING: do not set this layer in production.
pub async fn set_jwt_bearer<B>(
Extension(auth_uri): Extension<Uri>,
mut request: Request<B>,
next: Next<B>,
) -> Result<Response, StatusCode> {
let mut auth_details = None;

if let Some(bearer) = request.headers().typed_get::<Authorization<Bearer>>() {
auth_details = Some(make_token_request("/auth/key", bearer));
}

if let Some(cookie) = request.headers().typed_get::<Cookie>() {
auth_details = Some(make_token_request("/auth/session", cookie));
}

if let Some(token_request) = auth_details {
let response = PROXY_CLIENT
.call(
Ipv4Addr::LOCALHOST.into(),
&auth_uri.to_string(),
token_request,
)
.await
.expect("failed to proxy request to auth service");

let body = hyper::body::to_bytes(response.into_body()).await.unwrap();
let convert: Value = serde_json::from_slice(&body)
.expect("failed to deserialize body as JSON, did you login?");

let token = convert["token"]
.as_str()
.expect("response body should have a token");

request
.headers_mut()
.typed_insert(Authorization::bearer(token).expect("to set JWT token"));

let response = next.run(request).await;

Ok(response)
} else {
error!("No api-key bearer token or cookie found, make sure you are logged in.");
Err(StatusCode::UNAUTHORIZED)
}
}

fn make_token_request(uri: &str, header: impl Header) -> Request<Body> {
let mut token_request = Request::builder().uri(uri);
token_request
.headers_mut()
.expect("manual request to be valid")
.typed_insert(header);

token_request
.body(Body::empty())
.expect("manual request to be valid")
}
Loading